Fix buffer overflow in ulpfec recovery

Bug: chromium:856823
Change-Id: I21fe21789ed3efbf71b5d3e234740a50c7911f6c
Reviewed-on: https://webrtc-review.googlesource.com/88228
Reviewed-by: Rasmus Brandt <brandtr@webrtc.org>
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23947}
diff --git a/modules/rtp_rtcp/source/forward_error_correction.cc b/modules/rtp_rtcp/source/forward_error_correction.cc
index b743110..d54f5d6 100644
--- a/modules/rtp_rtcp/source/forward_error_correction.cc
+++ b/modules/rtp_rtcp/source/forward_error_correction.cc
@@ -609,8 +609,8 @@
                                          size_t dst_offset,
                                          Packet* dst) {
   // XOR the payload.
-  RTC_DCHECK_LE(kRtpHeaderSize + payload_length, sizeof(src.data));
-  RTC_DCHECK_LE(dst_offset + payload_length, sizeof(dst->data));
+  RTC_CHECK_LE(kRtpHeaderSize + payload_length, sizeof(src.data));
+  RTC_CHECK_LE(dst_offset + payload_length, sizeof(dst->data));
   for (size_t i = 0; i < payload_length; ++i) {
     dst->data[dst_offset + i] ^= src.data[kRtpHeaderSize + i];
   }
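Review bot: Both new `RTC_CHECK_LE` guards bound a sum (`kRtpHeaderSize + payload_length`, `dst_offset + payload_length`), and if `payload_length` is a `size_t` like `dst_offset`, a very large value wraps the addition and still passes while the loop below runs for the full count. Writing the bounds in subtractive form closes that gap: `RTC_CHECK_LE(payload_length, sizeof(src.data) - kRtpHeaderSize);` and `RTC_CHECK_LE(dst_offset, sizeof(dst->data)); RTC_CHECK_LE(payload_length, sizeof(dst->data) - dst_offset);`. Because these checks now abort in release builds on lengths that appear to come from received packets, a short comment saying callers must reject out-of-range lengths before calling would help, so a malformed packet is dropped rather than ending the process. The function's signature starts above the hunk.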
@@ -627,7 +627,8 @@
       recovered_packet->seq_num = protected_packet->seq_num;
     } else {
       XorHeaders(*protected_packet->pkt, recovered_packet->pkt);
-      XorPayloads(*protected_packet->pkt, protected_packet->pkt->length,
+      XorPayloads(*protected_packet->pkt,
+                  protected_packet->pkt->length - kRtpHeaderSize,
                   kRtpHeaderSize, recovered_packet->pkt);
     }
   }
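Review bot: The new argument `protected_packet->pkt->length - kRtpHeaderSize` underflows when `length` is smaller than `kRtpHeaderSize`, assuming `length` is unsigned as the `size_t` parameters of `XorPayloads` suggest. The resulting huge value added to `kRtpHeaderSize` wraps back to `length`, so the sum-based `RTC_CHECK_LE` bounds in `XorPayloads` would still pass. Nothing in the hunk shows that short packets are rejected earlier, so guard the call explicitly, for example with `RTC_CHECK_GE(protected_packet->pkt->length, kRtpHeaderSize);`, or preferably skip recovery for that packet instead of aborting. The enclosing function starts and ends outside the hunk, so an existing length check there cannot be ruled out.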